By Sean Melbourne and Elena Nelyubina

Businesses know the convenience of having data at their fingertips. These days even one-person operations have customers’ phone numbers and suppliers’ email addresses readily available on a mobile device. Ready data access is essential to keep up with the pace of business.  

The downside of having easy access to personal data is that it is more vulnerable to hackers, thieves or being sent accidentally to third parties. Businesses now have new obligations under Australia’s Notifiable Data Breach scheme, designed to minimise the negative impact of personal data falling into the wrong hands and to make data breaches more transparent.


The scheme came into effect last month. It requires many organisations to take specified actions when:

  • an unauthorised third party obtains its personal information; and
  • the breach is likely to cause serious harm to those to whom the information relates.

There’s no clear definition of what constitutes ‘serious harm’, but it is not limited to financial or physical harm.

Don’t forget that personal data doesn’t mean just customer data. It also applies to personal information relating to employees, staff and other external parties.


NDB applies to:

  • Australian Government agencies
  • Businesses and not-for-profit organisations with an annual turnover of $3 million or more
  • Some small business operators, as explained below.



Any organisation with an annual turnover of $3 million or more must comply with the NDB scheme.

Most small businesses don’t hit the $3 million turnover threshold, so they are largely unaffected by the scheme. However, small businesses in the following categories must also comply with the scheme:

  • Private sector health service providers
  • Organisations that trade in personal information
  • Credit reporting bodies
  • Employee associations under the Fair Work Act 2009

Additionally, if a small business carries on any of the following activities it must comply with the NDB scheme, but only in relation to personal information held by the entity for the purpose of, or in connection with, those activities:

  • Provision of services to the Commonwealth under a contract
  • Operating a residential tenancy database
  • Reporting under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006
  • Conducting a protected action ballot
  • Holding tax file numbers (therefore, any entity which employs staff)
  • Retaining information under the mandatory retention scheme, as prescribed by the Telecommunications (Interception and Access) Act 1979.

Legal risks aside, there are of course reputational risks to having personal information going astray. If you’re a small operator, for instance, and your mobile phone goes missing you’re at risk of customers’ phone numbers, email addresses and physical addresses falling into the wrong hands. The results can be embarrassing; no customer is going to recommend you to friends and family if they know you’ve shared their personal information, even if it’s accidental.

And if you’re an ambitious small business with plans to get bigger, it’s worth starting to think about managing risks relating to how you store and access personal data. That way you’ll be prepared when your income does exceed $3 million.


If you need to comply with the NDB, and personal information held by your business is accessed by an unauthorised party in a way that is likely to cause serious harm, you should notify the Office of the Australian Information Commissioner and all individuals likely to be at risk of harm from the breach. These notifications should:

  • Identify the contact details of your organisation
  • Describe the data breach
  • Outline the kinds of information concerned
  • Make recommendations about steps individuals should take in response

It’s not always easy to know if a data breach has occurred, especially if you’re not a large organisation with expensive firewalls and access to IT staff/consultants. The key is to issue notifications as soon as you become aware of the breach. Obviously the sooner you find out, the less risk there is of the breach causing damage.


Of course, the best plan of attack is to minimise the risk of having your data retrieved by others. Regardless of whether you are subject to the NDB, it’s prudent to ask yourself a few questions:

  • How do you store your customers’ data and how widely is it shared? Is it stored on the cloud and on mobile devices or contained to one device which is kept at the office?
  • What safeguards do you have in place to protect that information? Do you have suitable passwords and security software in place to protect against hacking?
  • Are you prepared to take suitable remedial actions should customers’ personal information be obtained by an unauthorised third party? For example, can you easily notify affected customers should someone else get hold of their data? Should you consider preparing an NDB response plan?

If you want to know whether your business needs to comply with the NDB contact Sean Melbourne.

Published on: 8th March, 2018 | Categories: Other legal services, Guides